I started a series on Wi-Fi protocol analysis tips, beginning with the use of Wireshark Packet Colorization for easy visual identification of packets of interest, common frame exchanges, and anomalies in large trace files. I also detailed how to identify the SSID to BSSID Mappings on Cisco wireless equipment for focused analysis.

Secure Wi-Fi Hotspots are continuing to get a lot of attention, as they should. This is a necessary evolution to make Wi-Fi network access ubiquitous and secure for the next generation of mobile applications and services. When the EFF and BBB have come out criticizing the state of the industry, it's time to step up and develop a solution! How much more clear can it be... are the Wi-Fi Alliance and their industry leading members listening? Carrier Hotspots do not go far enough and leave out independent hotspot operators! Is this due solely to backroom financial deals, or are they just out of touch with their own customer's needs?!

Wi-Fi calling is gaining quite a following by current T-Mobile subscribers (and some technically inclined user on other carriers). Personally, I use Wi-Fi calling with Google Voice and Talkatone as an AT&T subscriber and have better voice service and call quality. I can't wait for this service to grow!

Matthew Norwood asks, if everyone has an angle then "Who Do You Trust?" when it comes to vendor or consultant pitches. A good reality check on taking information with a grain of salt and verifying claims.

This can aid risk assessment efforts by reducing the labor and time involved in scouring historical security advisories, or maintaining an archived list of vulnerabilities that affect deployed platforms and software versions in your environment.

The tools is very easy to use, and the results appear accurate (although Cisco does reiterate that this tool does not replace the list of affected software versions and fixed versions listed in individual security advisory notices).

Note - This tools currently only supports devices running Cisco IOS software. Platforms such as the Wireless LAN Controllers or Adaptive Security Appliances are not supported.

Step 1 - Select the method to use within the tool
Three options exist:

Search by Cisco IOS Software Release - Select one or more software versions from the list.

Use Show Version Command Output - Copy and past the "show version" output from a device.

Upload a Text File from Your Local Workstation - If you have multiple software versions that you need to check, you can upload a file from your workstation that includes this list.

Step 2 - Select the Security Advisories to Search

This may include all previous security advisories, only the latest bundle, or a list of specific advisories.

Step 3 - Review the Results

A list of security advisories that affect the selections made in steps 1 and 2 are displayed for review.

This example shows the results for Cisco IOS version 12.3(8)JEA3 for Aironet wireless access points and all previous security advisories.

Revolution or Evolution? - Andrew's Take

This tool provides an easy method to review vulnerabilities that affect current software versions deployed in your environment, with links to each security advisory for more detail. Use this tool as a first step in assessing the risk to your environment, determining priorities, and developing action plans to remediate those risks.

Modern enterprise-grade wireless networks have the ability to provision multiple SSIDs on the same radios. This is very beneficial to support varying wireless requirements using the same physical infrastructure.

This is not a new concept, and has been around for quite some time. However, with the common practice by most wireless manufacturers to use a unique BSSID for every SSID, administrators often have to figure out which BSSID maps to each SSID when performing protocol analysis. This can get tricky at times, especially when SSIDs are not broadcast and client traffic is minimal. It may take a while for a protocol analyzer to capture a probe response or association response that includes the SSID. Manual verification of the BSSID can be quicker in some cases.

Cisco Autonomous BSSID Mapping
The older Cisco Autonomous access points gave administrators this capability, but with two slightly different configuration options. By default Autonomous access points supported multiple SSIDs overlaid on top of a single BSSID. This meant that only one beacon was sent out and supported all SSIDs configured on the radio. The restriction with this method was that only one of the SSIDs could be used in guest-mode, which was Cisco's terminology for broadcasting the SSID. It also made supporting different capabilities between SSIDs more difficult, since there was reliance on the client to perform active scanning and be able to correctly interpret differences between the beacon information and probe response information, if different.

The second option was to enable multiple-BSSID, which then created a unique BSSID for every SSID created on the radio. Additionally, since beacons are sent for every BSSID, SSID broadcasting could be configured independently for each. Enable multiple-BSSID globally with the command: dot11 mbssid, or on individual radios with the command: mbssid.

To view Autonomous BSSID mappings for either scenario, issue the following command:show dot11 bssid

Monday, April 25, 2011

Two weeks ago I attended the Certified Wireless Analysis Professional (CWAP) version 2 beta class, held by CWNP Inc. The class was full of wireless LAN experts and was a great opportunity to share experiences and perspectives on wireless protocol operations (and to network with professionals in the field). Numerous times throughout the course attendees would exchange relevant details, tips, and tricks they found useful in real-world networks to analyze the environment. This allowed attendees to share valuable expertise they have acquired with others and promote knowledge sharing within the community.

I would like to share a few tips and tricks that I use with the broader Wi-Fi community as well.

Using Wireshark Coloring Rules to Enhance Wi-Fi Protocol Analysis
Speed up your protocol analysis kung-fu by using Wireshark coloring rules. By using packet colorization, engineers can quickly identify and find packets of interest that warrant deeper analysis within large trace files. Coloring rules can be defined in the View > Coloring Rules menu section.

Often times, engineers are using protocol analysis to either understand how a protocol operates or to troubleshoot an issue. Therefore, you may not know exactly what you're looking for until you find an anomaly or start digging deeper into a sequence of packet exchanges. When was the last time a support ticket came in with packet analysis level detail like "our handhelds are being de-authenticated by a rogue wireless IPS system"? Yeah, never.

In order to help you spot interesting packet exchanges during your initial scan of the packet trace, use coloring rules to visually distinguish common protocol exchanges and anomalies. Coloring rules use the same syntax as Wireshark Display Filters. As you find new protocol fields or interesting packets as you analyze various situations, simply create a display filter and copy it into a new coloring rule.

Here is an example of a packet trace where packet colorization indicates a station's probing (blue) and roaming (green) behavior.

Since most wireless networks are encrypted to meet security requirements, most protocol analysis will focus on layer 2 network operation. As such, the default coloring rules provided with Wireshark usually have little to no value for wireless engineers. Create your own custom coloring rules using Wi-Fi protocol fields found in the layer 2 header. Wireshark provides a WLAN display filter reference listing all of the available wireless fields for use in display filters.

Note - Coloring rules are applied in top-down order. If multiple coloring rules match the same frame / packet, then the higher rule is applied for colorization. Carefully select the order of coloring rules to highlight packets in the desired manner.

To help you get started, here are some of my favorite coloring rules / display filters (you download this text file and import it into Wireshark):

802.11 Bad FCS
This indicates frames which were not received correctly. This is common in wireless protocol analysis due to signal differences that may exist between the intended receiver and the analysis station. These frames should be ignored as the information is likely corrupt and incorrect.

wlan.fcs_bad == 1

802.11 Retries
This indicates frames which were re-sent by the transmitting station, indicating RF collisions, interference or multipath. Retransmissions are common in all wireless networks, and engineers should baseline normal conditions in each environment to understand what level is abnormal. Real-time applications such as voice may require lower level of retries than other applications (typically <10%).

wlan.fc.retry == 1

802.11 Probing
This indicates when wireless clients are probing for infrastructure access points in preparation for a future roaming event. Behavior will vary between client devices, and can impact battery life for highly mobile clients. Additionally, poor roaming implementations can be identified if clients wait too long to probe for new access points and complete a roaming event prior to application impact.

wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05

802.11 Roaming (802.11 authentication, (re)association, and EAPoL / EAP)
This indicates when a wireless client roams to a new access point and can be useful to analyze total time required by a client to complete a roam, time to complete various stages of a roam (association, EAP authentication, 4-way handshake, etc.), or to diagnose at which stage in the process a roam fails.

wlan.fc.type_subtype <= 0x03 || wlan.fc.type_subtype == 0x0b || eapol

A few others that I like include 802.11 fragmentation, de-authentication, and unencrypted data.

The saying goes "you're only as good as the tools you use". Take the time to invest in your tools and learn how to properly use them to be a better engineer.

Cheers,
Andrew

P.S. A huge thanks to Kevin, Marcus, and Abbey at CWNP Inc. for organizing such a great course! The CWNP program is the best in the industry. I always look forward to the high quality content your company produces and the fostering of such a great wireless community!

Administrators can opt to configure the HiveAPs through the Guided Configuration or the Advanced Configuration. I recommend that administrators use the guided configuration until they are comfortable and fully understand all of the settings contained in the advanced configuration section.

Guided Configuration

As the HiveManger online help system states:

"When you first start using HiveManager, the number of configuration objects can be somewhat overwhelming. Common questions that arise at this stage are "What do I need to configure?" and "Where do I begin?"

HiveManager Guided Configuration Section

Luckily, the HiveManager Guided Configuration takes the administrator through the basic configuration steps required to setup HiveAPs to get a WLAN up and running. Navigate to the "Configuration" section of HiveManager. The Guided Configuration section will be visible along the left side of the screen (shown right).

To create a basic configuration to get up-and-running, we'll tackle the basic settings for each of the four objects described in the HiveManager workflow, as well as provide an overview of the optional settings in each section. Note - we will configure individual "HiveAPs" at the end, as it makes a bit more sense to do this last.

Additionally, the HiveManager Help system is context-sensitive, so if you get stuck or need to lookup an item you are unfamiliar with you can simply select Help > HiveManager Help from the upper right corner.

Note - Configuration of these profiles does not affect the current operation of the wireless network until they are applied to HiveAPs and the updated configuration is pushed out, which is covered at the end of this article.

User Profiles

Create a new user profile which controls the default settings applied to users mapped to this profile. User profiles can be applied to users statically through SSID assignment or dynamically through RADIUS assignment based on returned attributes by the server.

Basic settings include the default VLAN access and the Attribute Number used for RADIUS policy assignment of users into the correct user profile. RADIUS attributes 64, 65, and 81 are used for both VLAN and User Profile assignment, with different values of-course (shown below).

Optional settings in this section include GRE or VPN tunneling for station isolation (guest WLANs) or other security requirements, L2/L3 firewall policies, QoS settings for rate limiting, queuing, and call admission control (CAC), user profile availability schedule (day & time restrictions), and SLA settings for throughput and airtime fairness.

It should also be noted that many of the settings nested within these main objects are linked to corresponding Advanced Configuration objects. These links can be followed by clicking on the "Plus" (Add) or "Notepad" (Modify) icons next to the configuration item. Once the advanced item has been configured, the user is returned to the main object to continue configuration where they left off.

Link to Add or Modify an Advanced Configuration Item

SSID Profiles

Within the SSIDs configuration section, administrators define logical wireless networks that control the methods by which client and access points communicate with each other, which often includes authentication and encryption settings (as shown below).

SSID definition and security settings configuration in HiveManager

Advanced Access Security Settings can be displayed where indicated by the red line by clicking the link in the figure above. This allows the administrator to fine-tune Group and Pairwise (User) encryption key lifetimes and timers, including an option to enable Proactive / Opportunistic Key Caching (PKC/OKC).

It should also be noted that Aerohive has developed a unique feature called Private Pre-Shared Key (PPSK), that enables the provisioning of unique PSKs to individuals, rather than sharing a single WPA/WPA2 PSK with everyone on the same network. This prevents users from eavesdropping on each other, makes network access revocation tied to individual users, and eases access revocation by eliminating the need to update PSKs on all workstations any time an individual user access is revoked. This is a great feature for small businesses with growing user bases to maintain network security and manageability without having to invest in enterprise class authentication with 802.1x/EAP. Often times small businesses struggle with the expertise, expense, and support involved with deploying an 802.1x solution, and this helps them transition and scale until they are ready. PPSKs are also useful in guest networking scenarios as an alternative to an open network, typically with a clerk, concierge, or attendant providing guests with unique PSKs upon arrival at the establishment.

User profiles are also assigned to users connected to this SSID. In the User Profiles for Traffic Management section, define the default user profile for all users accessing this SSID. Optionally, if using WPA/WPA2 802.1x (Enterprise) also select the user profiles that are allowed to be dynamically assigned to users by a RADIUS server. If the RADIUS server does not return a user profile attribute, or returns a non-selected user profile from the list, then the default user profile is applied. For advanced security, strict enforcement of selected user profiles available for dynamic assignment can be applied, and can be configured to instruct the access point to either disconnect the user, ban the user for period of time (e.g. 60 sec.), or ban the user forever. This is a great security feature which allows a single RADIUS server (or server cluster) to handle authentication for multiple user groups while still enforcing strict network access policies. This prevents SSID hopping whereby a valid user who authenticates successfully connects to a different SSID to gain higher privileged network access rights.

The WLAN policy is the top-level object underneath which all other configuration objects are stored (except for individual HiveAP settings), and are pushed to HiveAPs to apply the operational network settings. As such, the WLAN policy ties together many objects which have previously been configured with a few new ones.

After giving the WLAN policy a name and description, define the Hive that will be used for all access points which are assigned this WLAN policy. A Hive essentially allows multiple HiveAPs to coordinate distributed wireless network control plane and data plane operations, forming a virtual software controller using Aerohive's Cooperative Control architecture. This includes forwarding and routing paths, consistency of QoS and firewall policy enforcement, layer 2 and layer 3 client roaming, and radio frequency and power management. Hive members may be on the same subnet or different subnets. It is recommended that all HiveAPs which clients can seamlessly roam between (without disconnecting) be included in the same Hive.

Configuring a WLAN Policy in HiveManager

Next, add one or multiple SSID profiles to the WLAN policy, which defines the SSIDs that will be pushed to the HiveAPs for network access. Also define the default management interface VLAN and native (untagged) VLAN for the HiveAPs. These VLAN settings help administrators segment management traffic from user traffic to meet performance and security requirements common in most organizations.

Note - QoS classification and marking is performed globally within the HiveAP, but QoS queuing structures are defined per user-profile.

Note - If you plan on assigning HiveAPs static IP addresses, ensure that DNS servers are defined in the WLAN policy applied to the AP so that it can resolve and connect to HiveManager.

Individual HiveAP Settings

In addition to User, SSID, and WLAN Policy settings, unique settings can be configured for individual HiveAPs. Select the "HiveAPs" link from the Guided Configuration section, which will redirect to the Monitor > HiveAPs screen. Be sure to select the "Config" option button before drilling into an AP to modify the configuration instead of viewing statistics.

Once in an individual HiveAP, administrators can configure various settings that are typically unique to a single AP. These include host name, map location, assigned WLAN policy, radio modes (access, bridge, mesh), and static channel and power settings.

Configuring individual HiveAP settings

Note - To assign a WLAN Policy to multiple HiveAPs at once, select the check boxes next to each HiveAP in the Monitor > HiveAPs screen and click the Modify button. A subset of HiveAP settings are available for configuration across the selected APs.

Now that all four of the Guided Configuration sections have been completed, it's time to deploy the configuration to HiveAPs.

As a precautionary step, review the configuration audit status of the access points prior to deployment to verify accuracy of the updated configuration that will be pushed to the AP. To do this, navigate to the Monitor > HiveAPs screen, ensure the "Monitor" radio button is selected, and click the red triangle next to a HiveAP to view the configuration audit.

Viewing HiveAP configuration audit details

If satisfied with the configuration items, check the box next to every HiveAP to be updated and select the Update > Upload and Activate Configuration button. Configure the desired settings which instructs how HiveManager peforms the upload, including either a complete or delta upload and activation schedule, then click the save icon. The settings section will roll upwards, allowing the administrator click the Upload button and push the settings to the HiveAPs.

Configuring the HiveManager Upload Settings

The user will be redirected to the HiveAP Update Results screen, which will show the progress of the upload and report any issues that may occur.

Viewing HiveAP Update Results

If successful, the settings configured in HiveManager are now active on the HiveAPs and the wireless network should be fully operational.

Tuesday, April 19, 2011

Now that the Aerohive HiveAPs have been provisioned so they can discover and connect to a HiveManager management server, let's dive into how HiveManager handles configuration workflow, object definition, and nesting. This will serve as a foundation to prepare us to deploy an initial configuration to our HiveAPs.

The HMOL dashboard shows a new access point is connected

Initial Configuration State
Log into the HiveManager dashboard to get started. If you're using Aerohive's cloud management service, connect to HiveManager Online (HMOL) at https://myhive.aerohive.com and login using your supplied account credentials. From the "Navigate myHive" splash page, select "HiveManager Online" to access the management console. Once there, you should see the new access point listed in the Dashboard.

Navigating over to the Monitor - HiveAPs section, you can see that the access point connection details. You can also get to this page by clicking the "Number of New APs" hyperlink from the Dashboard.

The HiveAP monitor page shows the access point connection details

On this screen, notice that the AP is currently connected (green chain-link), the connection is secured (green padlock), and it is in Portal mode which integrates directly with the Ethernet network, as opposed to a Mesh Point that uses a wireless backhaul into the network through other mesh points or a portal.

Hovering over the red triangle in the audit column displays the pop-up message telling you that no configuration has been pushed to the AP yet. The red triangle alerts administrators that the current configuration on the AP does not match the desired configuration based on HiveManager templates assigned to the AP. Two green squares in the audit column would indicate that the configuration matches the defined template and no action is necessary.

HiveManager Configuration Workflow
Before jumping into the configuration, it's important to understand the workflow used within the system to define configuration items and how items relate to one another. Many enterprise wireless vendors implement a logical nesting, or roll-up, of foundational configuration items into larger groupings / profiles which then are applied to the equipment. This allows for creation of multiple profiles and easier testing, verification, and deployment.

The HiveManager configuration workflow consists of the following configuration items, nesting relationships, and profile objects which are then assigned to individual HiveAPs:

It is readily apparent from this workflow that configuration of four main objects is required:

User Profiles

SSIDs

WLAN Policies

Managed HiveAP Settings

Now that we have an understanding of the logical workflow and object nesting within HiveManager, we are prepared to define and deploy a working configuration to our HiveAPs.

Monday, April 18, 2011

Many customers have confusion around which access point model to select based on various factors including pricing, feature sets, performance, and other factors. This is true for almost every vendor product line, but especially so with large vendors and complex website navigation. With multiple product offerings in very similar technology space, customers are often confused about product differentiation that is almost always not apparently clear in documentation.

In fact, most vendor marketing material and product data sheets gloss over technical differences, focusing on marketing literature on the "positive" side of the equation for each and every product they have. As a customer, how are you to distinguish amongst multiple offerings, each touting how they enhance your business and deliver unparalleled services above the competitors?

Sunday, April 17, 2011

Cisco just released wireless LAN controller code version 7.0.116.0, which includes a laundry list of new features. Many of these new features have been in development for quite some time, and both partners and customers have been anxiously awaiting several.

Here are some of the notable new features and what they will mean for customers:

WIPS Enhanced Local Mode
This feature places a subset of Adaptive WIPS capabilities into access points operating in Local or H-REAP modes. Traditionally, Cisco aWIPS required Monitor mode APs. Now customers can get most of the benefits of an in-depth aWIPS deployment with the same access points that service client connections, without having to spend additional money on dedicated monitor APs. The solution still requires the WCS and MSE platforms, but can reduce CapEx and OpEx costs for customers. It is designed primarily for retail customers with distributed branch offices needing to maintain PCI compliance in the face of expanding mobile retail initiatives.

By my count, ELM supports detection of 35 of 48 attacks available in the full aWIPS solution (~73%). The majority of missing attack detections are comprised of some RF DoS and Zero-Day attack detection capabilities, which are arguably not the most severe attacks (DoS) and are notoriously hard to baseline against false-positives / negatives (Zero-Day).

Additionally, the focus of ELM attack detection is on the current operating channel of the AP, and has limited visibility into off-channel attacks through RRM off-channel scanning. This makes sense since the network infrastructure is performing double-duty serving clients and detecting attacks. This should not be an issue for larger network deployments with multiple APs covering most or all of the available channels. For smaller installations, this could present a serious problem however, and reduce effectiveness of the solution. However, this solution is arguably aimed at the larger retail deployments where the expense of deploying dedicated Monitor mode APs has been a problem.

All in all, larger customers should take a look, while smaller customers will probably opt for a dedicated WIPS solution.

H-REAP fault tolerance improves operation by removing the requirement for H-REAP mode APs to reboot when moving from standalone back to a connected state. Previously, H-REAP APs move into standalone mode without affecting locally-switched clients, but when re-joining a controller they were required to reboot and download a complete configuration which caused a service disruption during the fail-back process. Now the AP is able re-join the controller without impacting client service or rebooting, assuming it can verify the configuration matches.

In addition, H-REAP WAN latency may now exceed 100ms (upwards of 2 seconds) provided customers use H-REAP Local Authentication of clients using the internal user list pushed to the access points.

H-REAP Opportunistic Key Caching (OKC)
Previously, H-REAP access points only supported CCKM key caching for fast roaming. Now it supports both CCKM and OKC, which should provide much broader support for fast roaming with many more clients in typical customer environments. Note that both CCKM and OKC still require the 802.1x/EAP key derivation to be completed through the controller. Any keys derived while the H-REAP AP is in standalone mode (disconnected) will not support fast roaming between multiple APs.

I will also be awaiting 802.11r Fast BSS Transition support in H-REAP APs once broader market support and adoption are achieved through the Wi-Fi Alliance Voice Enterprise Certification (due out in 2011).

Cisco Identity Services Engine (ISE) Support
Cisco's next-generation ISE product provides context based access controls and integrates several services into a cohesive platform, including the Cisco Secure ACS authentication and Network Admission Control (NAC / Clean Access) products. This platform enables organizations to enforce network access policies based on a combination of user and device identity, and will be integrated into wireless, switch, and router platforms with software updates.

ISE addresses customer needs for granular access control beyond VLANs and IP subnet policies, acknowledging the need for deeper insight into the context of the client session to drive policy enforcement. A common scenario for this today might be differential network and application access based on user and device, differentiating access by an employee on a laptop versus an iPad. ISE is part of the Cisco TrustSec solution.

VLAN Select
This feature enables pooling of multiple VLANs into a group for assignment to a single WLAN SSID or AP Group. Large wireless installations have traditionally required a single large subnet and broadcast domain to accommodate the number of wireless clients on a single SSID, dynamic VLAN assignment, or the use of multiple SSIDs which can introduce roaming latency and problems. VLAN Select allows client connections to a single SSID to be round-robin load-balanced into multiple network VLANs to reduce subnet size and broadcast / multicast forwarding concerns.

Another use-case for VLAN Select is with guest termination in a DMZ environment. Large guest networks also traditionally required large subnets or multiple anchor controllers to segment the client population into smaller broadcast domains. This resulted in additional CapEx to buy more anchor controllers, since a single anchor controller could only use a single VLAN attached to a WLAN. Now, multiple VLANs can be tied to the same WLAN through VLAN Select, reducing the need for multiple anchor controllers.

I have update my post on H-REAP Deployment Guidelines and Feature Limitations to include these new enhancements, as well as a few others including security feature integration with Cisco switches. It's worth a read to review the current state of H-REAP functionality and limitations with the new 7.0.116.0 code release.

Have you found yourself wondering how you can be notified when the next release of Cisco code becomes available, or when critical field notices, security advisories, or end of sale notices are released? Rather than relying on word of mouth or constantly checking Cisco's website, try using the Cisco Notification Service.

The Cisco Notification Service allows existing Cisco customers with a valid CCO login to subscribe to product notifications when they are released via email or RSS. Here is how to set them up.

1.) First, login to your CCO account and navigate to the Support > View All Support Tools and choose Cisco Notification Service from the list.

2.) You will land at the Cisco Notification Service - Profile Manager page. Here you can see that I have two existing notifications. To create a new one, select Add Notification. This will create a new notification profile attached to your CCO account.

4.) Select the topic type. Options include notifications that are product-centric, alert-centric, or related to bug IDs. For this example, I have chosen product-centric.

5.) Next, select the topic from the tree. In this case, I have selected the 5500 Series Wireless LAN Controller.

6.) Select the sub-topics for which you would like to receive notifications. Note that not all sub-topics can be chosen simultaneously within a single selection; multiple sub-topic definitions can be defined within the same profile however.

7.) Finish the sub-topic selection by specifying any additional filter information as necessary. In this case, I have opted to be notified for any software version released.

8.) The sub-topic configuration is now complete. Select Add Another Topic to add more sub-topics to this notification profile if desired (for instance if some selections were mutually exclusive in step 6 above). When finished, select Finish.

That's it. The new notification profile has been added to your account. It may be in the Pending state until email verification is completed.

Now you can receive important product, alert, field notices, end of sale notices, or bug ID updates as they are released for the products or topics that you care about without having to manually check Cisco's website.

Monday, April 4, 2011

I recently completed the CCIE certification program by passing the CCIE Wireless lab exam. Having been on this journey for the better part of a year and a half and achieving success, I thought that I would share some of my experiences and tips. Ultimately, everyone's journey to acquiring their digits will be different. But some of the same underlying themes and methods are applicable for everyone.

Here are some of my recommendations for those interested in pursuing CCIE certification:

10. Love the Track You Select
I think this is a fairly obvious one. You have to love the technology and have a passion for it. You will be devoting a large amount of time into studying and if you don't love the subject, then you won't stick with it. If you want the CCIE certification solely to enhance your resume, get a better job, or get better pay, chances are you won't succeed. Granted, some might, but most won't. Every CCIE that I meet has a genuine passion for the technology; the resume, job, and pay benefits are icing on the cake.

9. Join a Community
Attempting to study alone is possible, but definitely much harder. Try to find a community of others studying for the same track as you. This will allow you to benefit from the various strengths of individual study group members. Each person will have different backgrounds, experience, and perspective. By learning from other's strengths, you strengthen your understanding of the topics you may be weak in. Additionally, a study group will shorten the amount of time you spend researching topics and allow you to focus on absorbing the knowledge, not hunting for answers. These communities exist is many different forms, from local Cisco User Groups to bootcamp classmates and online discussion boards (such as Twitter). Get involved, and do it early on in your studies!

8. Know Your Learning Style
Take the time to understand how you learn best. What is the most effective method for you, individually, to understand and commit knowledge to memory? Often times you can recognize your learning style by recollecting your "AHA!" moments. What made the light bulb go off and allowed you to truly grasp a topic?

Perhaps your a aural learner and like webinars or electronic training material. Instead, you could be a visual learner and classroom training or a bootcamp would be more beneficial. Or maybe you learn best when reading printed material and pouring over design guides, whitepapers, and tech notes should be your focus. And let's not forget the most important method for a CCIE candidate, tactile learning. The lab exam is 100% hands-on, in the equipment, building working networks.

Whichever method is your focus, understand that you will likely need to combine all the methods in some fashion during your studies. There is no one single source for all the information you will need to pass the CCIE lab exam. A single week-long bootcamp will not magically make you and "expert", there is simply too much material to cover for it to be all-encompassing.

7. Essential Study Preparation
Take the time up-front to understand where the information you need resides. Build a list of sources and keep the list updated as you progress through your studies. The first and most important source is the lab exam blueprint. This should form the outline for your studies, and serve to shape and focus your attention on the topics relevant to the exam. The CCIE lab is notoriously broad, in all tracks. There are already a ton of topics, features, and nuances to know to pass the exam; don't make it even harder by studying topics outside of the scope of the blueprint. The one exception to this is fundamental concepts that must be understood for more advanced in-scope topics.

I would suggest that candidates document their research and findings thoroughly by taking notes as they study. As a first step, consider creating the document outline directly from the lab exam blueprint. By taking notes you will absorb and retain the information more thoroughly. Additionally, summarizing information into a condensed format is essential for reviewing topics again in the future. Make no mistake, you will be re-visiting every topic on the blueprint multiple times. The last thing you want to happen is to research the answer to a question, only to come across the same question again and waste time re-discovering the answer.

6. Invest in Your Future
Often one of the biggest hurdles for CCIE candidates to overcome is the financial outlay required not only to sit for the lab exam, but also to acquire the required study materials. There is no easy way to avoid spending money up front to prepare for a CCIE exam. Candidates will require books, training, and equipment at a minimum. Some candidates may be fortunate to work in a large Cisco environment and have access to these resources readily at hand; others may not and have to purchase materials on their own.

Whatever the situation, understand that the money spent is not wasted, it's an investment in your future. The amount of risk involved in that investment is entirely up to you and your dedication to the goal. This psychological hurdle, if not overcome, can devastate your chances of passing the exam. Don't hadicap yourself by worrying about the money. If you truly have the willpower to follow through and succeed, your investment will pay for itself exponentially.

5. Study One Task at a Time
Many candidates get anxious about the volume of material included in the lab. While that is certainly true, don't get caught up in the enormity of the exam. If you follow #7 above, then you have a collection of small and manageable learning tasks and an outline to follow. Without an outline to focus you on specific tasks, it's easy to wander between topics and get distracted. Focus on individual tasks, take notes, and complete each task before moving onto the next one. Take it day by day, task by task, and before you know it you will have filled in the entire outline you created.

The one item that I suggest you depart from this advice is regarding lab date scheduling. Be sure to schedule your lab exam well in advance for a few reasons. First, setting a definitive date will help you focus and drive for the finish line in your studies. Second, book a lab date that fits into your schedule. Some tracks are notoriously harder to get a date than other (especially Wireless). Booking it well in advance may be the only option you have, and it sucks to be ready only to find out you will have to wait 4-6 months and stay prepared the entire time. Trust me, it happened to me.

4. Check Your Ego
Put simply, don't assume you know everything. Even if you have worked with the technology for the last decade, review everything in the blueprint and your outline again. Often times I hear of candidates who proclaim they are XYZ experts, only to find out that the way they have always understood or implemented the technology is only one of several valid methods, or worse that they were wrong.

Take the time to review the fundamentals, even if they are not directly on the lab blueprint. Fundamental theory often guides practical implementations, even if differences exist. Knowing the fundamentals will help you synthesize and retain the material more effectively, as well as be better prepared to respond to ambiguous or scenario-based questions (such as the OEQs).

3. Be Willing to Sacrifice
You have to put in the effort and the hours to succeed. Those digits are not given away, they are earned the old-fashioned way - through hard work and commitment. This will mean spending many long nights in the study lab, missing dinners, skipping out on movie nights, and making the exam your top priority. Candidates with spouses, children, or other family responsibilities will find this especially difficult. For these individuals, striking an appropriate balance will be crucial. You will need the support of your family throughout this endeavor, so make sure everyone is on-board with your new schedule. It's likely that exam preparation will consume a year or more of your life.

2. Confidence
You will know more about the track you are studying than almost anyone else. As of today, there have only been 28,000 or so CCIEs, ever! You will be in rare company if you pass. Take that attitude into the exam, after all the act of passing the exam only confirms the knowledge that you have already acquired. The exam does not magically make you an expert, your studies have accomplished that. All that is left is to prove what you already know.

It's my firm belief that most people never even attempt the lab exam because of the psychology involved. Self-impressions and confidence can go a long way to achieving the success you have envisioned for yourself. Act the part and be a self-fulfilling prophecy.

1. Endure Disappointment
Three simple words: Never Give Up! Chances are good that you will NOT pass on your first attempt. Heck, chances are for many people that they won't pass on their second attempt either. Don't get discouraged. Everyone must run the lab gauntlet. There is so much more to the lab exam than just configuring equipment.

Once in the room, the candidate must deal with the anxiety of the exam that has built up over the last year, digest a completely foreign lab topology, correctly analyze and interpret questions and scenarios presented in the workbook, and be fast as lightning configuring the equipment. Oh, and there is the devious little bugger of time management. Even if you know the technology cold, just taking the lab exam for the very first time will kick your butt and you will fail. The candidate will have to deal with mis-direction, ambiguity, and repetitive or out of order tasks. If you're not prepared to deal with each of these, you will fail.

Obviously everyone wants to pass on their first attempt, and that is a great goal to have. But don't let your success or failure on your first attempt dictate the outcome. Be resilient and fill in the gaps exposed if you fail.

Andrew's Take
Overall, if there is one piece of advice that I can give prospective candidates, it would be this:Prepare mentally and the rest will follow!

Cheers,
Andrew vonNagy
CCIE™ #28298 (Wireless)

This material is not sponsored or endorsed by Cisco Systems, Inc. Cisco, Cisco Systems, CCIE and the CCIE Logo are trademarks of Cisco Systems, Inc. and its affiliates. The symbol ™ is included in the Logo artwork provided to you and should never be deleted from this artwork.